CarahCast: Podcasts on Technology in the Public Sector

Unleash Your Data with Nutanix for Splunk

Episode Summary

Listen to Kanuj Behl, Cloud Architect at Nutanix, discuss how Nutanix provides simplicity, stability, and scalability for Splunk deployments.

Episode Transcription

Speaker 1: On behalf of Nutanix and Carahsoft, we would like to welcome you to today's podcast, focused around Unleash Your Data with Nutanix for Splunk, where Kanuj Behl, Cloud Architect at Nutanix, will discuss how Nutanix provides simplicity, stability and scalability for Splunk deployments.

Kanuj Behl: I've been at Nutanix here for six years. And prior to that, I actually spent time as a contractor at Homeland Security, doing virtualization and virtualization architecture. So I've been in this field for over two decades at this point, working on enterprises, working on government, federal data as well. And that's kind of what we're here to talk about: how Splunk works, and how Splunk on Nutanix kind of works together. And the reason behind this is that data in general has vastly increased. Over the last few years, there's a lot of data coming in, whether that's from user desktops, whether that's from firewalls, whether that's from servers; all of our data comes in and has to be stored, has to be managed, has to be analyzed. So if you think about how all that data comes in, in order to be able to use it, you have to process it. And with all the vast amounts of data that come in in real time, alerting via real-time analytics of that data becomes very, very difficult because of just the quantity of the data that's coming in. And that trend is only going to be increasing. If you look at the IDC prediction that data creation is going to grow 9x between 2014 and 2023, we're kind of coming to the very end of that timeframe, and the data seems to increase even further. I have customers that have been using Splunk for years and have been at a certain ingest level. But over the last year or two, that data ingest has gone up like 5, 10, 15 times what they were doing, just because of the different things that are being collected now: so many more devices that are connected, so many more devices that are producing data. Everything comes in, everything has to be stored, everything has to be analyzed, and has to be analyzed in a way that's useful and meaningful to someone making a decision on what to do with that data in general.
All that complexity, all of that data, just leads to a lot of different places where things can slow down, where things can cramp up and can break. You know, that lack of stability can lead to poor user experience for folks that are actually trying to get information out of that data, and just poor performance, because it's got to be spread around in so many different ways, whether you're talking about compute or whether you're talking about storage. So lots of different issues with stability, lots of different issues with scalability, because things are only meant to handle a certain amount of scale. Once you hit that scale, what do you do? You end up having to lift and shift into something that will hold more capacity or provide more performance. And because you're in that constant state of flux between managing, troubleshooting, scaling, you slow down in what you can actually produce at the end of the day and bring value to at the end of the day. If you think about a typical Splunk request process: now you're using Splunk, and you want to get data on your data. So you want to be able to get a report, you want to be able to get a dashboard. You know, you make the request, and at the end, you're expecting something to come to you that's usable. There are a lot of different things in the way, from the request to the actual output, depending on your infrastructure, and each step of the way can take hours, weeks, a day, and involves multiple teams: you've got your storage team, you've got your management team, you've got your server team, in some cases virtualization, your OS, and then finally your application, before you get something usable. Because you're interested in the data at the end, not necessarily what goes on in the middle along the way; as an administrator, you care about the middle because that's the piece that you control.
But at the end of the day, the user just wants to get the report, just wants to get their dashboard. And for most of this stuff, because it takes so long, real-time data goes out the window. So this is where Nutanix comes into play. So that middle piece is really what Nutanix has been focusing on. Since 2009, we've come to the point where our hyperconverged infrastructure is more or less ubiquitous across the field. We've gotten lots of accolades from all the different analysts out there. So for all intents and purposes, what Nutanix has created is a multi-cloud platform, the core of which is the hyperconverged infrastructure services, where all of the different pieces (data, development and user, remote office, analytics, cloud native) are just services and just little feature sets that you turn on, that live on top of that multi-cloud platform that Nutanix provides in general. And that platform is now not only limited to just on-prem private cloud, but provides that seamless experience in the public cloud as well, with our services in the public cloud spaces today as well. So why Splunk on Nutanix? What are we really doing that makes it simpler, easier, scalable to use? So a typical Splunk use case can be terabytes of daily ingest. We have customers, again, that I mentioned, that will do, you know, 5, 10, 20, 30 gigs of data per day, into the hundreds. And then we have customers that do 10, 15, 20 terabytes of ingest a day. And all of that is accelerated because of the way that Nutanix increases the compute and the storage capacity. We use a more or less Lego building block approach, from getting to your initial onset of your footprint for Nutanix, and then from there being able to scale out to however large of an enterprise you want to be able to support at the end. We support being able to do petabytes of data in terms of retention, support going from pilot to production, again, using a building block approach.
And we can typically get a cluster up and running in a matter of an hour or two, and have you be able to add and grow that in a linear fashion. So you can go from, you know, your 200 gigs of ingest today up to a terabyte, just by adding the nodes that you want. You know, it's very, very predictable in terms of growth; it's not complicated math. There's no lift-and-shift type of approach that you need to follow in order to go from A to B. You can add storage in minutes versus the days or weeks that it would take for a typical centralized storage based architecture, and you can get quick deployment options, the client and/or software options, using the OEM of your choice. And this is our tiered architecture that we provide. So we start with a hypervisor, right? We have an x86 server of choice, and a hypervisor gets installed. We support all of the major hypervisors, whether that be vSphere, Microsoft Hyper-V, or Nutanix's own hypervisor, which we call AHV. The very first thing that goes on that hypervisor is what we call our controller virtual machine, our CVM. Our CVM is directly responsible for managing all of the local media on that physical node, as we call it. And this is important because our CVMs themselves are now all interconnected over your top-of-rack switching architecture. So now you have an aggregation of all of the media across all of the nodes that are part of this Nutanix cluster. They provide that shared storage resource that the hypervisors themselves use. What differentiates us from any other vendor out there is that the virtual machines, in this case your indexers, your forwarders, your search heads, anytime they do reads and writes to disk, they're actually talking to the hypervisor and the local controller; they're actually doing the reads and writes on that local media on the same physical host that those virtual machines are running on.
This is what we call data locality. It's something that we do that no one else in the industry really does. Data locality helps us get that same look and feel for Splunk. Typically, a Splunk deployment, even in the physical world, uses that local media, a local disk, to do all of its retention, whether that's a hot, warm, cold bucket or that standard type of architecture, because you're writing and reading from that local disk. Well, lo and behold, on a Nutanix system, you're doing the same thing. You're doing those reads, you're doing those writes on that local system, on the physical host, so you have no hops to your actual storage. And you don't have to go across a shared storage network to be able to get at that data. There's no distributed storage network in that environment. So now your virtual machines are doing all of their reads and writes locally; they're able to get the best out-of-the-box performance because you don't have to go over a network to what's locally attached. The idea here, using that building block approach, is that we're able to scale, whether that's in events per second using a compute resource, or just in terms of long-term retention or longer-term retention, where we're adding in capacity in general. So the way that you do that is just by adding additional Nutanix nodes, getting back to that Lego building block approach to the architecture itself, and then being able to scale whether you want to increase your scale on just the CPU, the compute side, or versus the capacity side in general, and being able to do things independently of each other. So you can do one or the other; you don't have to do both at the same time, but you can. You can get a very linear scale to go from your 500 to a terabyte to one and a half terabytes.
If you're doing a terabyte today and you want to get to two terabytes, you're going to need two times the amount of nodes that you have today. It's very, very easy to scale that; you know, it's a very, very known unit of scale in order to be able to increase from day one to day N, where you want to be. Nutanix Objects: so not only do we support the traditional way of running Splunk and having the hot to frozen buckets on a Nutanix system, and being able to lay those out individually, but Nutanix today is also SmartStore-ready, and we're certified to be able to run things on a SmartStore type of basis as well. So now you can size your workload. So remember, Nutanix has always been a configure-to-order type of architecture, where we build out the system that you'll be running on based on the workload that we're sizing towards. So we will make things as customized to you as can possibly be. So with SmartStore, now you start with your hot retention and how long you want to maintain your searches in the hot fashion, and then you push everything off to a SmartStore. Nutanix Objects is something that now gives you the ability to use the S3 type of connection that SmartStore requires, and still be able to leverage the Nutanix multi-cloud platform as the basis for all those services. So you can run your virtualization services, you can run your VMs on a Nutanix system, and then you can have a similar service on your Nutanix platform. But now, using Nutanix Objects gives you the ability to hyperscale, to use that same benefit of distributing your storage over a set of nodes using that same Lego building block approach. Now you're able to leverage the Nutanix Objects service to provide the back-end storage for a Splunk SmartStore configuration as well. We do include two terabytes of utilization license for every Nutanix cluster out there as well. And you can scale your storage as and when needed.
You don't have to go all in; you can add in the growth, the amount of unit of expansion that you need to be able to get to where you want to be at the end of the day. TCO in general: so typically, this has been another question that comes up quite a bit: if we're running bare metal, how are we benefiting from adding Nutanix into the mix? Well, if you look at the TCO that we provide over bare metal, you know, our compression algorithm alone gives you 10 to 20% of the utilization that can be added on to your system. So we save you, basically, in that fashion. Add into the mix some other enhancements in terms of data reclamation, and then we can increase that even further, to give you a total cost of ownership that's much lower than a physical bare metal type of installation with Splunk alone, even in the cases where we're running, again, Splunk in the cloud as well. But we're able to grow that environment and be able to give you a better return on your investment. The platform itself gives you the ability to run a lot of things aside from just general virtualization. So we've been doing virtualization and management for quite a number of years in general. But we've added a lot of other pieces into the mix that help really round out the enterprise platform in general: our AOS, AHV and Prism give you the ability to manage your core infrastructure. The ability to do Flow gives you the ability to do micro-segmentation and secure all that east-west traffic for your Splunk indexers. Right. Your indexers don't need to have that communication with everything across the board; your search heads, your forwarders, through using advanced services, all those different search heads in the mix as well can be protected individually from each other. So you can apply those policies at that level.
Then the ability to use Objects, as well as some of the other tools, kind of leads to a full-stack solution to be able to run all the different layers of your Splunk installation, and well, again, not just for indexers but being able to manage your Splunk search heads as well, your cluster manager, your licensing, all those different ancillary things, along with the ability to run forwarders and syslog. So you're able to complete your entire environment in a virtualized manner on a Nutanix cluster by leveraging the CPU and the virtualization efforts. A lot of times what we hear is that, you know, we're able to run things effectively, but what other benefits are we able to get from a Nutanix system? And those are some of the things that come from, likely, the administrative workload. So in smaller environments, when they only have a handful of virtual machines, it becomes easy enough to manage for an individual user, because you're an individual administrator. But as those environments grow larger and larger, when you end up having to scale to multiple on a bare metal type of system, those require a lot of hardware maintenance, a lot of OS maintenance, where all those in a virtualization world are all gone. Those are all virtual machines, so the platform itself is managing the hardware; those are all done in an automated fashion with Lifecycle Management, doing all of the firmware updates, all of the OS updates along the way. So in this case, your virtual indexer, or your virtualized indexer, doesn't have the condition that you would have in a bare metal world: an indexer in a bare metal world fails, that indexer has to be rebuilt. In a virtualized environment, that failure would just lead to the indexer restarting on another host. So you'd have minimal downtime.
With the advent of doing replication factor two, search factor two, you can spread your searchable indexes across multiple physical nodes, so you can get better performance on your searches that are across the cluster as well. And all those architectures are supported, including the ability to do multi-site along the way as well. Those are also at this point supported across the different cloud vendors as well, so kind of extending the on-prem look and feel of the Nutanix system into the public cloud world as well. And now you're able to run that Nutanix software in a public cloud venue, and be able to leverage the hybrid cloud to be able to run both your workloads on-prem and in the cloud, and being able to do transfer between those as well, to be able to replicate data back on-prem and into the cloud. Top Splunk on Nutanix customer use cases: so you have your same tools, you have your infrastructure ops manager, but business analytics is going to be the biggest use case, right. So that seems to be the most difficult to manage, the hardest to kind of wrap our arms around to get that running, and get that in a state where it becomes easy and simple. To end here, Nutanix, the company itself, was founded in 2009. We've actually been running workloads since 2011, and we've only grown from that to what we have today. Splunk, private cloud and big data analytics, and new workloads have really been the biggest factor as to how fast we've been growing in the last couple of years. That, and requiring the compute resources and storage capacity along with performant storage, is, you know, one of the reasons we've been growing and why Splunk works very well on a Nutanix system. And we've had a lot of users start putting Splunk on a Nutanix system rather than have the small server cases with 10 to 100 gigs, or growing that 100 gigs to two terabytes or multi-terabytes or 10 or 15 terabytes today. And that's kind of all I had up until now. Appreciate everyone's time.

Speaker 1: Thanks for listening. If you'd like more information on how Carahsoft or Nutanix Networks can assist your organization, please visit www.carahsoft.com or email us at Nutanix@Carahsoft.com. Thanks again for listening and have a great day.